UK Update: Why Data Protection is a Board Level Issue

The message is clear – data protection is a board level issue with board level consequences.  Cases such as the decision in Various Claimants v Morrisons Supermarkets PLC illustrate how organizations can be liable for data protection breaches by their employees. When the GDPR becomes effective on 25 May 2018, there will be consequences for your organization if steps are not taken now to ensure compliance, particularly, in the area of data security.

For details of this case and how GDPR will affect your organization read on…

Data Protection – Why It is a Board Level Issue

In Various Claimants v Morrisons Supermarkets PLC, Mr. Skelton was employed by Morrisons as a senior internal auditor and was subject to a disciplinary process, receiving a verbal warning. He was unhappy with that decision. Subsequently, he was asked to provide KPMG, the external auditors, with various elements employees’ personal data. He collected the data which was then sent it anonymously to a number of newspapers saying that the data was available on the web. A group of representing the 99,998 employees and former employees took action against Morrisons over the data breach. But, could Morrisons be held vicariously liable for the criminal acts of a rogue employee?

Morrisons were found liable even though they did not know nor ought they to have reasonably known that Mr. Skelton posed a threat to the employee database. It was found that there were no control mechanisms which could have prevented the data breach. Even though Morrisons did not directly misuse the data they were found to be vicariously liable for its misuse. The Court found that there was an “unbroken thread that linked [Mr. Skelton’s] work to the disclosure: what happened was a seamless and continuous sequence of events.” He had been deliberately entrusted with the data, his role was to collect and disclose it to KPMG, a third party. His actions in disclosing it elsewhere were closely related to his authorized acts. When he received the data, despite his covert intentions, he was acting as an employee.

Whilst this appears to be the first occasion in which proceedings have been taken against a data controller (Morrisons) by those whose data has been wrongfully disclosed, it is unlikely, given the frequency with which data breaches occur, to be the last. The finding that there was little else that could have been done and any actions would not have prevented the breach must be particularly galling given that Morrisons was found to be vicariously liable but demonstrate the importance of taking steps to prevent data breaches to avoid primary liability.

GDPR – A Board Level Issue

One of the aims of the GDPR is to give back control of personal data to individuals. As publicity around GDPR mounts and with express provision for class actions within the GDPR, this case could be the first of many more and demonstrates that data protection is very much a board issue that needs to be taken seriously. 

The Principles of data protection encompass transparency and accountability. Training and awareness is a key part of being able to demonstrate this. 

With less than 6 months to go is your organization GDPR ready?

By Boyes Turner, UK, a Transatlantic Law International affiliated firm.  

For further information or for any assistance regarding UK employment law, please contact  Barry Stanton at uklabor@transatlanticlaw.com. 

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.